A place to rant about things I'm working on and to try to educate as many as possible.

So it’s been forever since I have posted. I have been busy between leaving the military, school, and having a REAL job now. Today I had the privilege of speaking at the Second Annual Cyber Security Conference for Collin College hosted by North Texas ISSA. Below is a copy of my presentation from that conference.

So I’ve gone a bit cray cray since DOGE came out, thanks to connection (she LOVES that I have spent so much time screwing with coins btw >.<). Totally understood how much of a joke it was, but it gave me my first glimpse of what cryptocurrency was and I started researching. Everything I’ve found out with it, I’ve ensured to try and share back the knowledge with the community (mainly on /r/bitcoinforbeginners). A shout out to giveen is deserved as well since he helped me understand a lot of the trading aspects.

So what I have done is taken EVERY coin I could find that had a faucet and added it below. I’m aware that I probably missed a ton and if you know of any, please let me know below or through the contact form and I will get it/them added.

So, I have been extremely terrible about not blogging recently and for that I’m sorry. Life has been hectic. This is a quick post to say that my wordlist, which was originally on a torrent, has been on bindshell for quite a while thanks to @jmgosney. Along with that, it was overhauled because when the original one was published, it was sorted and uniq’d, but not as well as I had thought. This updated one has been fixed, which cut the size literally in half. I will start trying to blog more for those keeping an eye out.

So, this will start out as every other post does, thanking people who’ve helped with this idea! This list of people is @HackerHuntress, @spridel11, @diami03, the wife, justabill, and whiteb0rd. They helped me tremendously in getting my resume to where it is currently.

Now, with that being said let’s jump right in. Below is exactly how I have my resume. Here is a copy for yourself that you can adjust as needed.

First we have the header.

First Last Name

ADDRESS

CITY, STATE ZIP

PHONE

EMAIL

CURRENT JOB TITLE

As you can see, it’s nothing incredibly fancy. I used Microsoft Word (2007) to create my resume so copying it to here isn’t exact with the alignment and such. This portion is pretty self-explanatory. Starting off, make sure that the phone number you use is one that can contact you. The email: if you do not have an email account that is professional, i.e. first.last@whatever.com, then you better get one! I can’t tell you how many times I’ve heard of people submitting a resume with some ridiculous personal email account, which in turn gets their resume sent to one place…the trash can. It’s easy, and sad, that I must say it but I wouldn’t if it weren’t true. Next is the Current Job Title. This is mainly for people who currently have a job but are searching for a new one. If you don’t have a job, I’d suggest putting whatever you WANT to do, i.e. security researcher or security analyst.

Summary

(Career field) professional currently pursuing a (degree) with a major in (major) from a (NSA CAE or similar). Seeks to complement the skills of co-workers and advance the mission of the organization by providing technical expertise and business acumen in arriving at solid (career) solutions.

This summary should be the MAIN point of your resume. This is a quick summary of you that will explain why whatever company that is looking at your resume should hire you and essentially what they’ll be missing if they don’t. Starting off, you want to list yourself as a professional in whatever field you are in. In my case, Information Security professional, but this could be Human Resources or a hundred other possibilities. If you have or are currently pursuing a degree, then you want to highlight this in your first sentence. I have listed that my school is an NSA CAE, National Security Agency Center of Academic Excellence. If you currently go to a school that is such a thing, you want to make sure it is recognized. If not, try to highlight what your school is known for. Next, you want to explain why they should hire you. As you can see, I’ve crafted a very good sentence that basically tells them in extremely “fancy” terms that you want to improve their company and your co-workers’ abilities with your knowledge. At the end of this sentence, ensure that you tell them you want to help them arrive at solid “career” solutions, meaning information security or human resources or penetration testing (whatever your career is).

Experience

US Army

January 2006 – Present

Senior Information Systems Specialist

Oversaw Network Security Violations for 20,000 personnel and managed a team of seven.

Lead helpdesk technician for 300 people.

Maintained network and system communications for 20,000 personnel stationed in Alaska.

As you can see, yes this is directly from my resume (as I stated above). When listing things you’ve done for each job you NEVER want to say I because it’s your resume, obviously it’s about you! Think of it as a third person description of what you’ve done or if you were writing someone up for an award or promotion. It can be very difficult, but take time and ask for assistance if you need it. The way these are typed up could be the difference between getting a job based off your skills and not getting a job because the skills you list don’t mean anything to the job you’re applying for.

Education and Certifications

MOST CURRENT SCHOOL/EDUCATION

TOPIC OF STUDY, DATE – DATE

ANY AWARDS (DEAN’S LIST, HONOR GRADUATE, ETC)

NEXT OLDEST SCHOOL/EDUCATION

TOPIC OF STUDY, DATE-DATE

ANY CERTIFICATIONS YOU CURRENTLY HOLD

Lastly, you want to list your education and, if you have any, certifications. The way I recommend listing your education is from most recent to oldest, ending with your high school or GED. Ensure that whatever topics you studied, be it computer science, theater, etc, is listed since this will most likely relate to the job you are currently applying for. With saying that though, if you mainly took theater and are applying for a computer science position, I don’t suggest you list it.

If you have any questions, don’t hesitate to contact me on twitter, @drb0n3z, or comment below and I will respond when I have the chance. I don’t want to claim that I’m a professional at this, but I’ve been through a Department of Labor course specifically to help with writing resumes and finding a job in this terrible economy and have had help from HR recruiters (hackerhuntress). If you have suggestions as well, again don’t hesitate to contact me!

So a while back Marcus Carey from ThreatAgent decided to ask for input on wordlist creation. The general idea was: do you think geo data (city, state, zip codes) would be something good to include when trying to crack passwords? My instant response was yes, as I’ve seen a decent amount of this type of thing. Remember the LinkedIn hack: a ton of those passwords were some variation of the company’s name. So let’s start with how to get the tool.

Alright everyone, the time has come for me to finally get off my lazy @$$ and share my wordlist. Now, the main thing with this wordlist is it is a mixture of a ton of wordlists. For example, it’s including @g0tmi1k’s 18in1, @purehate_’s old wordlist, @tekdefense’s random honeypot dump he gave me, @defusesec’s 15gb wordlist that was recently released, etc. Along with those wordlists it includes TONS of dumps from @cyber_war_news’ two sites and dumps I’ve posted along with connection to his dump site leaks-db.

I can’t thank the community and people I interact with daily enough for all the support they’ve given and teaching. This is my way of giving back.

Now, along with that the fun part…since everything I give you seems to be broken in some manner, there is a lot of the wordlists that probably need to be cut out and fixed. There are (I’m sure) hashes in this that don’t need to be there and possibly duplicate words/phrases BUT I’ve done my best to take care of that.

Mid post writing update: While uploading the file last week, @bwallhatestwits wrote a little python script to remove invalid characters. This did wonders and has made it the size it currently is.

Anything else people come up with don’t hesitate to contact me on the twatters! Much love and awkward hugs to everyone in the community!!!

So last night I was working with @bwall on his tool distributed-hash-solving when I ran into an issue in my MD5 pot file. It was showing NUL and other characters when viewing it in Notepad++.

After a little google-fu, I figured out a fix for it and then realized it was more than just NUL characters, it was almost every ASCII character that could be input as a two/three letter character.

We start with opening N++ and getting a sample of the character we need to remove.

As you can see, it decided to input between the hash and the correct output of the hash. A text sample of it would be:

NUL0NUL0NUL0 etc…

Now the fix for this is hitting CTRL-F and choosing the Replace tab and choosing the corresponding ASCII hex character. In this case, it’s \x00 :

Now you want to select Replace ALL. It took less than a minute and replaced over 150 instances of the NUL character. The output came to this:

As you can see, properly fixed!

Now with that one character being fixed, I also ran into almost every other possible HEX character being thrown into that file. The quick list of these to check for is:

\x00 – \x08 (\x09 actually counts as a character in some passwords, so you don’t want to remove it)
\x0B – \x0F (\x0A would do the same thing as \n, or your enter key, so again you don’t want to remove it)
\x10 – \x19
\x1A – \x1F

To ensure you ARE finding the correct characters, I recommend you hit the find next button before replacing to ensure there IS an actual character that needs to be replaced AND that you aren’t going to goof up your .pot/.txt/* file like I did the first time I did this.
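
The same cleanup as a script, for files too big to comfortably fix by hand in Notepad++. This is an added example, not part of the original post and not @bwall's script: the function names and the sample pot lines are made up for illustration. It counts the offending bytes first (the "find next" check) and writes the cleaned output to a separate file so the original stays intact.

```python
import re
from collections import Counter

# Ranges from the post: \x00-\x08 and \x0B-\x1F. \x09 (tab) and \x0A (newline)
# are kept. \x0D (carriage return) is inside the removed range, so CRLF
# line endings come out as LF.
CONTROL_BYTES = re.compile(rb"[\x00-\x08\x0b-\x1f]")

# Constructed sample in hash:plaintext form; the second hash is a placeholder.
SAMPLE = (
    b"5f4dcc3b5aa765d61d8327deb882cf99:\x00p\x00a\x00s\x00sword\r\n"
    b"00112233445566778899aabbccddeeff:tab\there\x1b\n"
)


def count_control_bytes(data: bytes) -> Counter:
    """Dry run, like Find Next: which control bytes are present, how often."""
    return Counter(m.group()[0] for m in CONTROL_BYTES.finditer(data))


def strip_control_bytes(data: bytes) -> bytes:
    """Replace All: drop every byte in the listed ranges."""
    return CONTROL_BYTES.sub(b"", data)


def clean_pot_file(src: str, dst: str) -> Counter:
    """Write a cleaned copy to dst, leaving src untouched; return the counts."""
    with open(src, "rb") as fh:
        data = fh.read()
    found = count_control_bytes(data)
    with open(dst, "wb") as fh:
        fh.write(strip_control_bytes(data))
    return found


if __name__ == "__main__":
    for byte, hits in sorted(count_control_bytes(SAMPLE).items()):
        print(f"\\x{byte:02x}: {hits} occurrence(s)")
    print(strip_control_bytes(SAMPLE).decode("ascii"))
```

Working on raw bytes rather than decoded text means the script does not care what encoding the pot file was saved in.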

If you have any questions feel free to contact me on freenode #hacktalk #intern0t #isdpodcast or #offtopicsec and on twitter @drb0n3z.